Oh dear. SophosLabs has upset some malware authors

Filed Under: Featured, Malware, SophosLabs, Vulnerability, Web Browsers

Whilst dealing with the daily deluge of malicious files, it is nice for those of us working in SophosLabs to occasionally come across something amusing which can make us smile.


Sometimes even insults can be amusing (even complimentary), as we have previously noted.

Messages to Sophos (sorry, Sofos) within malicious code could be regarded as confirmation that the defences we are putting up are aggravating the criminals.

Earlier this week, a new message appeared in one of the active exploit kits:

Message added into the JavaScript of exploit kit landing page

This translates to:

Dear Sofos, what do you need from me? I do not understand. Please f*** off! ThankYou!

The exploit kit in question has been active for several months now, and Sophos products block it as Mal/ExpJS-AL.

As usual, compromised websites are responsible for driving traffic to the sites hosting the exploit kit. So even the most careful browsing could still expose you to such threats.

In the past 24 hours for example, pricing up some Angry Birds merchandise or checking out the latest shawl worn by Kate Middleton would have been enough to expose you to legitimate websites that have been injected with malicious JavaScript that kick starts the drive-by download chain.

See here for an excellent video describing exactly how drive by downloads work.

Hat-tip: Thanks to @kafeine who brought the message to our attention, and @ekwatcher for the sample.

, , , ,

You might like

8 Responses to Oh dear. SophosLabs has upset some malware authors

  1. Anon · 934 days ago

    That translation is incorrect, though close but incorrect.

    **Xyle tebe nado is more along the lines of wtf do you want and or don't you have anything better to do.
    **Ya Ne Ponimau = I don't get it.
    **Otebis please ot nas = Leave us the f*** alone.

  2. Nigel · 934 days ago

    Congratulations! It's always gratifying to know that one's efforts to thwart scumbaggery are hitting home..."home" in this case being somewhere in Russia, apparently.

  3. Rick Bunker · 934 days ago

    Uh, if I am transliterating it the way they meant it, "xyle tebe nado" is "хули тебе надо" which is much stronger than "what do you need from me" -- more like "what the f*** do you want from me?" It should be rendered kind of like Travis Bickle asking "Are you talking to me?"

    Then you did get the "f*** off" part translated properly. But overall it is somewhat nastier than your translation made it sound.

  4. Mark · 933 days ago

    awesome! you know your visibility is high when something like that happens

  5. Randy · 933 days ago

    Keep up the good work. Hopefully you can elicit even stronger responses from them in the future.

  6. Bacchanalia · 933 days ago

    A pedant writes ... "Messages to Sophos (sorry, Sofos) within malicious code could be regarded as confirmation that the defences we are putting up are irritating the criminals."

    aggravating means to make things worse...............I'd get out more, but it's raining...

  7. Wolf_Star · 933 days ago

    Regardless of how it's translated, they're obviously hitting them where it hurts!

    And that's a good thing.

  8. roy jones jr · 924 days ago

    Don't Russians have better things to do? You have like 5 time zones with eagles and hot women! Theres no need to have hacking rings in Russia!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.